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Abstract 


The Plan Execution Interchange Language (PLEXIL) is a synchronous language 
developed by NASA to support autonomous spacecraft operations. In this paper, 
we propose a rewriting logic semantics of PLEXIL in Maude, a high-performance 
logical engine. The rewriting logic semantics is by itself a formal interpreter of 
the language and can be used as a semantic benchmark for the implementation of 
PLEXIL executives. The implementation in Maude has the additional benefit of 
making available to PLEXIL designers and developers all the formal analysis and 
verification tools provided by Maude. The formalization of the PLEXIL semantics 
in rewriting logic poses an interesting challenge due to the synchronous nature of the 
language and the prioritized rules defining its semantics. To overcome this difficulty, 
we propose a general procedure for simulating synchronous set relations in rewriting 
logic that is sound and, for deterministic relations, complete. We also report on the 
finding of two issues at the design level of the original PLEXIL semantics that were 
identified with the help of the executable specification in Maude. 


1 Introduction 

Synchronous languages were introduced in the 1980s to program reactive systems , 
i.e., systems whose behavior is determined by their continuous reaction to the envi- 
ronment where they are deployed. Synchronous languages are often used to program 
embedded applications and automatic control software. The family of synchronous 
languages is characterized by the synchronous hypothesis, which states that a reac- 
tive system is arbitrarily fast and able to react immediately in no time to stimuli 
from the external environment. One of the main consequences of the synchronous 
hypothesis is that components running in parallel are perfectly synchronized and 
cannot arbitrarily interleave. The implementation of a synchronous language usually 
requires the simulation of the synchronous semantics into an asynchronous computa- 
tion model. This simulation must ensure the validity of the synchronous hypothesis 
in the target asynchronous model. 

The Plan Execution Interchange Language (PLEXIL) [9] is a synchronous lan- 
guage developed by NASA to support autonomous spacecraft operations. Space 
mission operations require flexible, efficient and reliable plan execution. The com- 
puter system on board the spacecraft that executes plans is called the executive 
and it is a safety-critical component of the space mission. The Universal Executive 
(UE) [20] is an open source PLEXIL executive developed by NASA 1 . PLEXIL and 
the UE have been used on mid-size applications such as robotic rovers and a pro- 
totype of a Mars drill, and to demonstrate automation for the International Space 
Station. 

Given the critical nature of spacecraft operations, PLEXIL’s operational seman- 
tics has been formally defined [8] and several properties of the language, such as 
determinism and compositionality, have been mechanically verified [7] in the Pro- 
totype Verification System (PVS) [13]. The formal small-step semantics is defined 

L http : / /plexil . sourcef orge . net . 
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using a compositional layer of five reduction relations on sets of nodes. These nodes 
are the building blocks of a PLEXIL plan and represent the hierarchical decompo- 
sition of tasks. The atomic relation describes the execution of an individual node 
in terms of state transitions triggered by changes in the environment. The micro 
relation describes the synchronous reduction of the atomic relation with respect to 
the maximal redexes strategy , i.e., the synchronous application of the atomic rela- 
tion to the maximal set of nodes of a plan. The remaining three relations are the 
quiescence relation , the macro relation and the execution relation which describe the 
reduction of the micro relation until normalization, the interaction of a plan with 
the external environment, and the n-iteration of the macro relation corresponding 
to n time-steps, respectively. From an operational point of view, PLEXIL is more 
complex than general purpose synchronous languages such as Esterel [2] or Lus- 
tre [4] . PLEXIL is designed specifically for flexible and reliable command execution 
in autonomy applications. 

In this paper, we propose a rewriting logic semantics of PLEXIL in Maude [5] 
that complements the small-step structural operational semantics written in PVS. In 
contrast to the PVS higher-order logic specification, the rewriting logic semantics of 
PLEXIL is executable. Indeed, the Maude specification is by itself an interpreter of 
the language. This interpreter is intended to be a semantic benchmark for validating 
the implementation of PLEXIL executives such as the Universal Executive and a 
testbed for designers of the language to study new features or possible variants of the 
language. Additionally, by using a graphical interface [15], PLEXIL developers will 
be able to exploit the formal analysis tools provided by Maude to verify properties 
of actual plans. 

Rewriting logic is a logic of concurrent change in which a wide range of models 
of computation and logics can be faithfully represented. The rewriting semantics of 
a synchronous language such as PLEXIL poses interesting practical challenges be- 
cause Maude implements the maximal concurrency of rewrite rules by interleaving 
concurrency. That is, although rewriting logic allows for concurrent synchronous 
specifications at the mathematical level, Maude executes the rewrite rules by inter- 
leaving concurrency. To overcome this problem, we develop a serialization procedure 
that allows for the simulation of a synchronous relations via set rewriting systems. 
This procedure is presented in a library of abstract set relations that we have written 
in PVS. The procedure is sound and complete for the synchronous closure of any 
deterministic relation under the maximal redexes strategy. 

We have used the rewriting logic semantics of PLEXIL to validate the semantics 
of PLEXIL against a wide variety of plan examples. We report on the findings of 
two issues of PLEXIL ’s original semantics that were discovered with the help of the 
rewriting logic semantics of PLEXIL presented in this paper: the first was found 
at the level of the atomic relation for which undesired interleaving semantics were 
introduced in some computations, and the second was found at the level of the 
micro relation for which spurious infinite loops were present in some computations. 
Solutions to both issues were provided by the authors, and have been adopted in 
the latest version of PLEXIL semantics. 

Summarizing, the contributions presented in this paper axe: 
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• The rewriting logic specification of PLEXIL semantics. 

• A library of abstract set relations suitable for the definition and verification 
of synchronous relations. 

• A serialization procedure for the simulation of synchronous relations by rewrit- 
ing, and an equational version of it in rewriting logic for deterministic syn- 
chronous relations. 

• The findings on two issues in the design of the original PLEXIL semantics, 
and the corresponding solutions that were adopted in an updated version of 
the language semantics. 

Outline of the paper. This paper is organized as follows. Background on rewrit- 
ing logic and its relation to Structural Operational Semantics are summarized in 
Section 2. In Section 3, we present the library of set relations, including the sound- 
ness and completeness proof of the serialization procedure. Section 4 describes the 
rewriting logic semantics of PLEXIL. In Section 5, we discuss preliminary results. 
Related work and concluding remarks are presented in Section 6. 


2 Rewriting Logic and Structural Operational Seman- 
tics 

Rewriting logic [11] is a general semantic framework that unifies in a natural way 
a wide range of models of concurrency. Language specifications can be executed in 
Maude, a high-performance rewriting logic implementation, and benefit from a wide 
set of formal analysis tools available to it, such as Maude’s LTL Model Checker, for 
instance. 

A rewriting logic specification or theory is a tuple 1Z = (X, E U A, R) where: 

• (X, EU A) is a membership equational logic theory with X a signature having a 
set of kinds, a family of sets of operators, and a family of disjoint sets of sorts; 
E a set of X-sentences, which are universally quantified Horn clauses with 
atoms that are equations ( t = t') and memberships (t : s), with t, t' terms 
and s a sort; A a set of “structural” axioms (typically associativity and/or 
commutativity and/or identity) such that there exists a matching algorithm 
modulo A producing a finite number of A-matching substitutions; and 

• R a set of universally quantified conditional rewrite rules of the form 

(VX) r : t — ♦ t! if f\ui = u[ A f\ Vj : Sj A wi — * w[ 

i j l 

where X is a set of sorted variables, r is a label, t, t', Ui, u', Vj, Wj and w'- are 
terms, and Sj are sorts. A condition of a rule is called an equational condition 
if it does not contain atoms of the form wi — > w[. 


3 



Intuitively, 72 specifies a concurrent system , whose states are elements of the 
initial algebra T-^/eua specified by the theory (E, E U A) and whose concurrent 
transitions are specified by the rules R. Concurrent transitions are deduced accord- 
ing to the set of inference rules of rewriting logic, which are described in detail in [3] 
(together with a precise account of the more general forms of rewrite theories and 
their models). Using these inference rules, a rewrite theory 72 proves a statement of 
the form (VX) t — > t', written as 72 I- (VX) t — > t 1 , meaning that, in 72, the state 
term t can transition to the state term t' in a finite number of steps. A detailed dis- 
cussion of rewriting logic as a unified model of concurrency and its inference system 
can be found in [11]. 

We have a one-step rewrite [£].eua — y n [t']EuA in 72 iff we can find a term 
u € [£]jEuA such that u can be rewritten to v using some rule r : a — > b if C £ R. in 
the standard way (see [6]), denoted u — >r v, and we furthermore have v e [t']E\jA- 
For arbitrary E and R, whether [t\EuA — >1Z \t']EvA holds is in general undecidable, 
even when the equations in E are confluent and terminating modulo A. Therefore, 
the most useful rewrite theories satisfy additional executability conditions under 
which we can reduce the relation [t]EuA — y n [t']EuA to simpler forms of rewriting 
just modulo A, where both equality modulo A and matching modulo A are decidable. 

The first condition is that E should be ground confluent and terminating modulo 
A [6]. This means that in the rewrite theory 1Z E /A = (E, A, E), (i) all rewrite 
sequences terminate, that is, there are no infinite sequences of the form [£i]a — y n E/A 
[h]A • ■ ■ [t n ]A — *n E/A [t n +i]A ■ ■ • , and (ii) for each [t\ A e T E / A there is a unique A- 
equivalence class [can E / A fl)\ A € T E / A called the E-canonical form of [£]a modulo A 
such that there exists a terminating sequence of zero, one, or more steps [t] A ¥ Ke/a 
[can E/A (t)]A- 

The second condition is that the rules R should be coherent [21] relative to the 
equations E modulo A. This precisely means that, if we decompose the rewrite 
theory 72 = (E, E U A,R ) into the simpler theories Re /A = (E ,A,E) and Rr/a = 
(E,A, R), which have decidable rewrite relations — y n E/A and — y n Ii/A because of 
the assumptions of A, then for each A-equivalence class [t] A such that [t\ A — y n R/A 
\t'\ A we can always find a corresponding rewrite [can E / A (t)] A — y n R/A [ t"]A such 
that [can^/A^OU = [^^e/a{1")\a- Intuitively, coherence means that we can always 
adopt the strategy of first simplifying a term to canonical form with E modulo A, 
and then apply a rule with R modulo A to achieve the effect of rewriting with R 
modulo E U A. 

The conceptual distinction between equations and rules has important conse- 
quences when giving the rewriting logic semantics of a language I as a rewrite 
theory 72 l = (E l,E e U Al,Rl)- Rewriting logic’s abstraction dial [12] captures 
precisely this conceptual distinction. One of the key features of Structural Opera- 
tional Semantics is that it provides a step-by-step formal description of a language’s 
evaluation mechanisms [14]. Setting the level of abstraction in which the interleav- 
ing behavior of the evaluations in L is observable, corresponds to the special case in 
which the dial is turned down to its minimum position by having E e D A e = 0. The 
abstraction dial can also be turned up to its maximal position as the special case in 
which Rl = 0, thus obtaining an equations! semantics of the language. In general, 
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we can make a specification as abstract as we want by identifying a subset R' L C R L 
such that the rewrite theory (Ify, El U Al U R' l , Rl \ R'l ) satisfies the executability 
conditions aforementioned. We refer the reader to [12, 17, 19] for an in-depth pre- 
sentation of the relationship between structural operational semantics and rewriting 
logic semantics, and the use of equations and rules to capture in rewriting logic the 
dynamic behavior of language semantics. 

The conceptual distinction between equations and rules also has important prac- 
tical consequences for program analysis, because it affords massive state space re- 
duction which can make formal analyses such as breadth-first search and model 
checking enormously more efficient. Because of state-space explosion, such anal- 
yses could easily become infeasible if we were to use a specification in which all 
computation steps are described with rules. 


3 A Rewriting Library for Synchronous Relations 

When designing a programming language, it is useful to be able to define its semantic 
relation, to formally prove properties of this relation and to execute it on particular 
programs. However, defining such a semantic relation and formally reasoning about 
it is generally difficult, time consuming, and error-prone. This would be a major 
endeavor if it had to be done from scratch for each language. Moreover, since 
programming languages tend to evolve constantly, tools must allow reusing parts of 
former developments to support rapid yet correct prototyping. 

Fortunately, small-step operational semantic relations are, in general, built from 
simple relations with a limited number of operations, such as reflexive-transitive 
extension, reduction to normal form, parallel extension, etc. As a minimum, the 
framework should include a library containing the definitions of these operations 
and formal proofs of their properties. This will considerably reduce the amount of 
work needed to define the semantic relation of particular programming languages 
and formally prove their properties. Defining the semantic relation of synchronous 
languages requires defining the synchronous extension of an atomic execution re- 
lation, an operation that has been much less formally studied than other relation 
operations such as the reflexive-transitive extension or the parallel extension. 

We present in this section a first attempt to design a framework for rapid yet 
correct prototyping of semantic relations, in particular of synchronous languages. 
This framework allows for defining semantic relations, executing them on particular 
programs and formally proving some of their properties using general theorems 
about the operations that permit building relations from relations. We have been 
experimenting with this framework using various versions of the PLEXIL language 
(see Section 4). 

The definitions and properties presented in Section 3.1 have been developed in 
PVS. The Maude engine is used for executing the semantic relations on particular 
programs. The full development of the framework, including the formal semantics 
of PLEXIL, is available from http://research.nianet.org/fm-at-nia/PLEXIL. 
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3.1 Set Relations and Determinism 

Let — > be a binary relation on a set T. We say that a G T is a redex if there exists 
a' G T such that a — > a', and that it is a normal form otherwise. We denote by 
— and — >*, the identity relation, n-fold composition, and reflexive-transitive 
closure of — », respectively. 

In addition to the above relations, we also define the normalized reduction rela- 
tion — of — 

Normalized reduction a—*^a r if and only if a—>*a’ and a' is a normal form. 

Henceforth, we assume that the relation — > is defined on sets over an abstract 
type T, i.e., — > C V(T)xV(T). We define the asynchronous extension of — ►, denoted 

-5>, as the congruence closure of — > and the parallel extension of — denoted A, as 
the parallel closure of — >. 

Asynchronous extension a -5> a' if and only if there exist sets b and b' such that 
b C a, b 7^ 0, b — > b' and a' = (a \ b) U b' . 

Parallel extension a A a' if and only if there exist b \, . . . , b n , nonempty, pairwise 
disjoint subsets of a, and sets b[, . . . , b' n such that h — > b[ and a' — (a \ |Ji h) U U fy- 

The definition of a synchronous reduction requires the definition of a strategy 
that selects the redexes to be synchronously reduced. 

Strategy A strategy is a function mapping elements a G V(T) into bi,...,b n , 
nonempty, pairwise disjoint subsets of a such that all bi are redexes for — >. 

Synchronous extension Let s be a strategy, a A a' if and only if there exist 
b[, ...,b' n such that s(a ) = {&i, . . . , b n }, bi — > &■ and a' = (a\ U* &*) u U* K- 

A natural way of defining strategies is via priorities. A priority is a function p 
that maps elements a G V(T) into natural numbers. 

Maximal redex Let a G V(T) and let p be a priority function. A nonempty subset 
b of a is said to be a maximal redex of a if it is a redex, and for all nonempty subsets c 
of a such that c is a redex, c^b and cfi6 0, we have p{b) > p(c). By construction, 
the set of maximal redexes of a set are pairwise disjoint. The maximal redexes 
strategy is the function that, given a priority function, maps elements a G V(T) into 
the set of its maximal redexes. 

In addition to the definition of the relation operators presented here, our library 
includes formal proofs of properties related to determinism and compositionality for 
abstract set relations. In this paper, we will focus on determinism as this property 
is fundamental to the specification of synchronous relations in rewriting logic. 

Determinism A binary relation — > defined on a set T is said to be deterministic 
if for all a, a' and a” in T, a — » a' and a — > a" implies a' = a". 
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Determinism is a stronger property than confluence, i.e., a deterministic relation 
is also confluent, but a confluent relation is not necessarily deterministic. 

Proposition 3.1 (Determinism of — > n , — 4 and A). If the relation — * is determin- 
istic, then so are the relations — > n , —4, and A. 

In contrast, even if the relation — > is deterministic, the relations — >*, A and — J 
are not always deterministic. 

3.2 Executing Semantic Relations 

Executing the semantic relation of a programming language is desirable during the 
design phase of the language. In particular, it allows the designer of the features 
to experiment with different semantic variants of the language before implementing 
them. 

Rewrite systems are a computational way of defining binary relations. Since our 
formalism is based on set relations, we consider rewrite systems on an algebra of 
terms of type T modulo associativity, commutativity, identity, and idempotence: the 
basic axioms for the union of sets. We denote the equality on terms of this algebra 
by =acui ■ The relation — > defined by a rewrite system 1Z is defined as follows. 

Relation defined by a rewrite system a — ► b if and only if there exists a rewrite 
rule l — > r in 72 and a substitution a such that a =acui ol and b =acui or. 

We remark that the previous definition uses the substitution closure of the 
rewrite system, rather than the more traditional definition based on the congru- 
ence closure. For example, if we consider the rewrite system 

A(x) — > B(x), 

we have that 4(0) — > B{ 0) and 4(1) — > B(l). On the other hand, .4(0), 4(1) is not 
a redex for — 

The synchronous extension of a relation — > challenges the standard asynchronous 
interpretation of rewrite systems. Consider again the previous example. The asyn- 
chronous extension of — > defined in Section 3.1, which indeed encodes the con- 
gruence closure, relates 4(0), 4(1) A R(0),4(l) and 4(0), 4(1) A ^4(0), B(l). 
However, it does not relate 4(0), 4(1) to B(0),B(1), which corresponds to the 
parallel reduction of both 4(0) and 4(1). In this particular case, we have that 
4(0),4(1)Ah(0),4(1)Ar(0),R(1). 

s □ * 

We remark that if a — > b, for a strategy s, then a— » b. However, in order to select 
the redexes to be reduced, we need additional machinery. In particular, we need 
to keep a log book of redexes that need to be reduced and redexes that have been 
already reduced. We propose the following procedure to implement the synchronous 
extension of a relation — for a strategy s, in an asynchronous rewrite engine, such 
as Maude. 

Serialization procedure Given a term a e 'P(T), we compute a term b as follows. 
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1. Reduce the pair (|J s(a) ; 0) to a normal form (0 ; a') using the following 
rewrite system: 


(a,i,c ; d) — ♦ (c;a-,d), 


where a* — » a[. 

2. The term b is defined as a \ U s(a) U a'. 

Since a strategy is a set of redexes, and this set is finite, the procedure is well- 
defined, i.e., it always terminates and returns a term. However, the procedure is not 
necessarily deterministic. 

In our previous example, we want to apply the procedure to A(0), A(l),5(l) 
using the maximal redexes strategy (assuming that all terms have the same pri- 
ority). Since maxp({A(0), A(l),5(l)}) = (A(0), A(l)}, we have to reduce the pair 
(j4(0),j 4(1) ; 0), to its normal form (0 ; 5(0), 5(1)). Then, we compute 

{A(0),A(1),5(1)} \ {A(0),A(1)} U (5(0), 5(1)}, 

which is equal to 5(0), 5(1). We check that A(0), A(l),5(l) A 5(0), 5(1). 

Theorem 3.2 (Correctness of serialization procedure). The serialization procedure 
is sound, i.e., if the procedure returns b from a, then a A b. Furthermore, if — ► is 
deterministic, the procedure is complete, i.e., if a A b then the procedure returns b 
from a. 

Proof. Soundness Assume that the procedure returns b — a\U s(a)Ua' from a. We 
have to prove that a A b. Let s(a) = (oi, . . . , a„}, where a* C a, for 1 < i < n. 
From the definition of a strategy, the elements in s(a ) are pairwise disjoint. 
Then, from the procedure, a' = a [, . . . , a' n , where a* — ► for 1 < i < n. Let 
cCabe such that none of the subsets of c is in s(a). Then, a has the form 
a = oi, . . . , a n , c. Hence, b = a[, ... , a' n , c. By definition of A, we have that 
oti, ■ ■ ■ , a n , c * a i, . . . , (iji, c. 

Completeness In this case, it suffices to note that by Proposition 3.1, if — > is deter- 
ministic, then A is deterministic. Therefore, the normal form of ((J s(a ) ; 0) 
is unique and the procedure returns a unique b = a \ (J s(a) U a! . This b is the 
only term that is related to a in the relation A. 

□ 


4 Rewriting Logic Semantics of PLEXIL 

The framework presented in Section 3 is abstract with respect to the elements in 
the set T and the basic set relation — If we consider that T is a set of PLEXIL 
nodes and — > is PLEXIL’s atomic relation, we can deduce by Proposition 3.1 that, 
since PLEXIL’s atomic relation is deterministic [7] , PLEXIL’s micro and quiescence 
relations are deterministic as well. Therefore, we can use the serialization procedure 
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presented in Section 3.2 to implement a sound and complete formal interpreter of 
PLEXIL in Maude. 

In this section, we describe in detail the specification of such an interpreter. 
We only discuss the atomic and micro relations since they are the most interesting 
for validating the synchronous semantics of PLEXIL. More precisely, we present 
the rewrite theory IZpxl = (S PX l, E PX l U A pxl ,.R pxl ), specifying the rewriting 
logic semantics for PLEXIL’s atomic and micro relations. We use the determinism 
property of PLEXIL’s atomic relation to encode it as the computation rules in E PX l 
because it yields a confluent equational specification. Consequently, the serialization 
procedure for PLEXIL’s synchronous semantics into rewriting logic can be defined 
equationally, thus avoiding the interleaving semantics associated with rewrite rules 
in Maude. Of course, due to the determinism property of the language, one can 
as well turn up the “abstraction dial” to its maximum by making the rewrite rules 
i? PX L into computational rules. This will result in a faster interpreter, for example. 
Nevertheless, we are interested in PLEXIL semantics at the observable level of the 
micro relation. Therefore, in the rewrite theory 7 £ PX l: (i) the equational theory 
(£ PX l,E PX l U A PX l) defines the semantics of the atomic relation and specifies 
the serialization procedure for the synchronous semantics of PLEXIL, and (ii) the 
rewrite rules /?, PX l define the semantics of the micro relation. 

In this Section we assume the reader is familiar with the syntax of Maude [5]. 

4.1 PLEXIL Syntax 

A PLEXIL plan is a tree of nodes representing a hierarchical decomposition of 
tasks. The interior nodes in a plan provide the control structure and the leaf nodes 
represent primitive actions. The purpose of each node determines its type : List 
nodes group other nodes and provide scope for local variables, Assignment nodes 
assign values to variables (they also have a priority, which serves to solve race 
conditions between assignment nodes), Command nodes represent calls to commands, 
and Empty nodes do nothing. Each PLEXIL node has gate conditions and check 
conditions. The former specify when the node should start executing, when it should 
finish executing, when it should be repeated, and when it should be skipped. Check 
conditions specify flags to detect when node execution fails due to violations of pre- 
conditions, post-conditions, or invariants. Declared variables in nodes have lexical 
scope, that is, they are accessible to the node and all its descendants, but not siblings 
or ancestors. The execution status of a node is given by status such as Inactive, 
Waiting, Executing, etc. The execution state of a plan consists of (i) the external 
state corresponding to a set of environment variables that are accessed through 
lookups on environment variables, and the internal state which is a set of nodes and 
(declared) variables. 

Figure 1 illustrates with a simple example the standard syntax of PLEXIL. In 
this particular example, the plan tasks are represented by the root node Saf eDrive, 
the interior node Loop, and the leaf nodes OneMeter, TakePic and Counter. OneMeter 
and TakePic are, for example, nodes of type Command. The node Counter has two 
different conditions: Start is a gate condition constraining the execution of the 
assignment to start only when the node TakePic is in state Finished, while Pre is 
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List SafeDrive { 
int pictures = 0; 

End: 

LookupOnChange (WheelStuck) == true OR pictures == 10; 
List Loop { 

Repeat-while : 

LookupOnChange (WheelStuck) == false; 

Command OneMeter { 

Command: Drive (1); 

} 

Command TakePic { 

Start: OneMeter . status == FINISHED AND pictures < 10; 
Command: TakePicture () ; 

} 

Assignment Counter { 

Start: TakePic . status == FINISHED; 

Pre: pictures < 10; 

Assignment: pictures := pictures +1; 

} 

} 

} 


Figure 1. SafeDrive: A PLEXIL Plan Example 


a check condition for the number of pictures to be less than 10. The internal state 
of the plan at a particular moment is represented by the set of all nodes of the plan, 
plus the value of the variable pictures, while the external state of the plan contains 
the (external) variable WheelStuck. 

The external state of a plan is defined in the module EXTERNAL-STATE-SYNTAX. 
The sort ExternalState represents sets of elements of sort Pair, each of the form 
(name, value)-, we assume that the sorts Name and Value, specifying names and 
values, respectively, have been defined previously in the functional modules NAME 
and VALUE, respectively. 

fmod EXTERNAL-STATE-SYNTAX is 
protecting Name . 
protecting Value . 
sort Pair . 

op : Name Value -> Pair . 

sort ExternalState . 
subsort Pair < ExternalState . 
op mtstate : -> ExternalState . 

op : ExternalState ExternalState -> ExternalState [assoc comm id: mtstate] . 

eq ES :ExternalState , ES : ExternalState = ES : ExternalState . 
endfm 


The internal state of a plan is represented with the help of Maude’s built- 
in C0NF module supporting object based programming. The internal state has 
the structure of a set made up of objects and messages, called configurations in 
Maude, where the objects represent the nodes and (declared) variables of a plan. 
Therefore, we can view the infrastructure of the internal state as a configuration 
built up by a binary set union operator with empty syntax, i.e., juxtaposition, 
as __ : Configuration x Configuration — > Configuration. The operator __ is 
declared to satisfy the structural laws of associativity and commutativity and to 
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have identity mtconf . Objects and messages are singleton set configurations and 
belong to subsorts Object, Msg < Configuration, so that more complex con- 
figurations are generated out of them by set union. An object , representing a 
node or a (declared) variable, in a given configuration is represented as a term 
(O : C \ ai : Vi, ... ,a n : v n ), where O is the object’s name or identifier (of sort 
Oid), C is its class (of sort Cid), the a*’s are the names of the object’s attribute 
identifiers, and the vfs are the corresponding values. The set of all the attribute- 
value pairs of an object state (of sort Attribute) is formed by repeated application 
of the binary union operator _, _ which also obeys structural laws of associativity, 
commutativity, and identity, i.e., the order of the attribute- value pairs of an ob- 
ject is immaterial. The internal state of a plan is defined in the functional module 
INTERNAL-STATE-SYNTAX by extending the sort Configuration; the sorts Exp and 
Qualified, which we assume to be defined, are used to specify expressions and 
qualified names, respectively. 

fmod INTERNAL-STATE-SYNTAX is 
extending CONFIGURATION . protecting EXP . 
protecting QUALIFIED . 

subsort Qualified < Oid . Qualified elements are object identifiers 

ops List Command Assignment Empty : -> Cid . Types of nodes 

sort Status . 

ops Inactive Waiting Executing Finishing Failing Finished 
IterationEnded Variable : -> ExecState . 
sort Outcome . 

ops None Success Failure : -> Outcome . 

op status: : Status -> Attribute . Status of execution 

op outcome: : Outcome -> Attribute . Outcome of execution 

ops start: skip: repeat: end: : Exp -> Attribute . Gate conditions 

ops pre: post: inv: : Exp -> Attribute . Check conditions 

op command: : Exp -> Attribute . Command of a command node 

op assignment: : Exp -> Attribute . Assignment of an assignment node 

ops initval actval: Exp -> Attribute . Initial and actual values 

of a variable node 

endfm 

Using the infrastructure in INTERNAL-STATE-SYNTAX, the internal state of SafeDrive 
in Figure 1, is represented by the configuration in Figure 2. Observe that the sort 
Qualified provides qualified names by means of the operator 

: Qualified x Qualified— > Qualified, 

which we use to maintain the hierarchical structure of the plans. The dots at the 
end of each object represent the object’s attributes that are not explicitly defined 
by the plan but that are always present in each node such as the status or the 
outcome. There is a “compilation procedure” from PLEXIL plans to their cor- 
responding representation in Maude, that we do not discuss in this paper, which 
includes all implicit elements of a node as attributes of the object representation of 
the node. 

We are now ready to define the sort State representing the execution state of the 
plans in the functional module STATE-SYNTAX, by importing the syntax of external 
and internal states: 
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< SafeDrive : List | end: LookupOnChange (WheelStuck) == true OR 

pictures == 10, ... > 

< Loop . SafeDrive : List | repeat: LookupOnChange (WheelStuck) == false , ... > 

< OneMetter . Loop . SafeDrive : Command | command: Drive (1), ... > 

< TakePic . Loop . SafeDrive : Command | start: OneMeter . Status == 

Finished and pictures < 10, command: TakePicture ( ) , ... > 

< Counter . Loop . SafeDrive : Assignment | pre: pictures < 10, 
assignment: pictures := pictures +1, ... > 

< pictures . SafeDrive : Memory | initval: 0, actval: 0 > 


Figure 2. SafeDrive in 72-pxl 


fmod STATE-SYNTAX is 
pr EXTERNAL- STATE- SYNTAX . 
pr INTERNAL- STATE- SYNTAX . 
sort State . 

op : ExternalState Configuration -> State . 

endfm 

We adopt the syntax T h -k to represent the execution state of the plans, where 
T and 7 r are the external and internal states, respectively. 

4.2 PLEXIL Semantics 

PLEXIL execution is driven by external events. The set of events includes events 
related to lookup in conditions, e.g., changes in the value of an external state that 
affects a gate condition, acknowledgments that a command has been initialized, 
reception of a value returned by a command, etc. We focus on the execution se- 
mantics of PLEXIL specified in terms of node states and transitions between node 
states that are triggered by condition changes (atomic relation) and its synchronous 
closure under the maximal redexes strategy (micro relation). 

PLEXIL ’s atomic relation consists of 42 rules. These rules are indexed by the 
type and the execution status of nodes into a dozen groups. Each group associates 
a priority to its set of rules which defines a linear order on the set of rules. 

The atomic relation is defined by (r, 7 r) I - P — > a P', where P C 7 r. For instance, 
the four atomic rules corresponding to the transitions from Executing for nodes of 
type Assignment are depicted in Figure 3. Rule r 3 updates the variable x to the 
value of the expression e in the given state, when the expressions associated with 
the gate condition End and the check condition Post of node A, both evaluate to 
true in the given state. In rule ri, AncInv(A) is a predicate, parametric in the name 
of nodes, stating that none of the ancestors of A has changed the value associated 
with its invariant condition to false. The value _L represents the special value 
“Unknown”. We use (T, 7r) h e v to denote that expression e evaluates to value 
v in state T h 7r; by abuse of notation, we write (r,7r) b e -/> v to denote that 
expression e does not evaluate to value v in (r,7r). 

The relation r < s between the labels of two different rules specifies that the 
rule r is only applied when the second rule s cannot be applied. That is, the 
binary relation on rules defines the order of their application when deriving atomic 
transitions. So, a rule r can be used to derive an atomic transition if all its premises 
are valid and no rule higher than r (in its group) is applicable. In the case of 
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(r, 7r) h AncInv(A) false A. body = x := e 

A. type = Assignment A.status = Executing 

n 

(r, 7r) h Node A — > a Node A with [status = Finished, x = ± , outcome = Failure] 

(r, 7r) h A.Invariant false A.body = x := e 

A. type = Assignment A.status = Executing 

r 2 

(r, 7 r) h Node A — > a Node A with [status = IterationEnded , x = ± , outcome = Failure] 

(r, 7r) h A. End true A.body = x := e 
(r, 7 r) h A. Post true (r, 7r) h e w 

A. type = Assignment A.status = Executing 

r 3 

(r, 7r) h Node A — > 0 Node A with [status = IterationEnded, x = w, outcome = Success] 

(r, 7 r) h A. End true (r, n) h A. Post -/*• true 

A. type = Assignment A.status = Executing 

— 

(r, 7 r) I- Node A — > a Node A with [status = IterationEnded , outcome = Failure] 

{r 4 < r 3 < r 2 < rfy 


Figure 3. Atomic rules corresponding to the transitions from Executing for nodes 
of type Assignment 


PLEXIL’s atomic relation, the binary relation < on rules is a linear ordering. This 
linearity is key to the determinism of PLEXIL (see [8]). 

The micro relation F h 7r — > m tc', the synchronous closure of the atomic relation 
under the maximal redexes strategy, is defined as: 


(r, 7 r) h Pi — > 0 Q i 
(r, 7 r) h P n — > a Q n 


F I- 7T (7T \ |J Pi) U |J Q , 


Micro 


l<i<n 


l<i<n 


where M w = {Pi , . . . , P n } is the set of node and memories in 7r that are affected by 
the micro relation. If two different processes in 7r, say A and B, write to the same vari- 
able, only the update of the process with higher priority is considered (assignment 
nodes have an associated priority always), e.g., A if A. priority > B. priority, B 
if B. priority > A. priority, and none otherwise. 

In order to specify the PLEXIL semantics in Maude, we first define the infrastruc- 
ture for the serialization procedure in the the module SERIALIZATION-INFRASTRUCTURE. 


fmod 

SERIALIZATION- 

INFRASTRUCTURE is 




inc 

STATE-SYNTAX . 






op 

: Old 

Cid AttributeSet -> Object . 

New syntactic sugar for objects 

op 

updateStatus 

: Qualified 

Status 

-> Msg . 

Update 

status message 

op 

updateOutcome 

: Qualified 

Outcome 

-> Msg . 

Update 

outcome message 

op 

updateVariable 

: Qualified 

Value 

-> Msg . 

Update 

variable message 
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op applyUpdates : State -> State . Application of updates 

var Gamma : ExternalState . var Pi : InternalState . 

eq applyOpdates (Gamma |- [ A:Oid : C:Cid | Att : AttributeSet status: S: Status ] 

updateStatus (A:Oid , S':Status) Pi) 

= applyOpdates (Gamma |- [ A:Oid : C:Cid | 

Att : AttributeSet status: S': Status ] Pi) . 
eq applyOpdates (Gamma |- [ A:Oid : C:Cid | Att : AttributeSet ] Pi) 

= applyOpdates (Gamma |- < A:Oid : C:Cid | Att : AttributeSet > Pi) . 

eq applyOpdates (St : State) = St: State [owise] . 
endfm 


Following the idea of the serialization procedure, we distinguish between un- 
primed and primed redexes by using syntactic sugar for denoting objects in the 
Maude specification: unprimed redexes are identified with the already defined syn- 
tax for objects in the form of (O : C | ...) and primed redexes are identified with 
the new syntax for objects in the form of [O : C | ...]. We use messages, i.e., 
elements in the sort Msg, to denote the update actions associated with the reduc- 
tion rules for the atomic relation; we accumulate these messages in the internal 
state of the execution state of the plans, i.e., we also use the internal state in the 
spirit of the log book of the serialization procedure. For example, the configuration: 
updateStatus (A , IterationEnded) 
updateVariable (x , w) 
updateOutcome (A , Success) 

corresponds to the update actions in the conclusion of rule in Figure 3. The 
function applyUpdates applies all the existing updates in the internal state and 
“unprimes” the “primed” nodes. In the specification above, it is shown how the 
status of a node is updated and how primed nodes become unprimed. 

We give the equational serialization procedure in the general setting in which we 
consider a linear ordering on the rules. 

Equational serialization procedure (with priorities) Let 

{ri : (r,7r) h Node A — > a Node A with [updatesi] if Ci}i<i<„, 

be the collection of atomic rules (in horizontal notation) defining the transition 
relation for nodes of type T in status S, with r n < • • • < r* < ■ ■ ■ < n, where 

updates! is the set of update actions (the order in the update actions is irrelevant) 

in the conclusion of r, and Ci is the set of premises of r*. The equational serialization 
procedure is given by the following set of equations, in Maude notation, defining the 
function symbol, say, r : 

var Gamma : ExternalState . var A : Oid . var S : Status . 

var Pi : Configuration . var T : Cid . var Attr : AttributeSet . 

op r : State -> State . 

eq r ( Gamma | - < A : T | status : S , Attr > Pi ) 

= if Cl == true then r ( Gamma | — [ A : T | status : S , Attr ] 
messages (updatesl) Pi ) 
else if C2 == true 

. . . else if Cn == true then r ( Gamma | — [ A : T | status: S , Attr ] 

messages (updatesn) Pi ) 

else r( Gamma | — [ A : T | status: S , Attr ] Pi ) fi 

fi ... 

fi . 

eq r( Gamma [-Pi ) = Gamma |— Pi [owise] . 
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where messages(updadatesi) represents the message configuration associated with 
the update actions in the conclusion of rule rj. 

The equational serialization procedure defines a fresh function symbol, say, r : 
State — » State. The first equation for r tries to apply the atomic rules in the 
given order, by first evaluating the condition and then marking the affected node. 
If the condition evaluates to true, then update messages are generated. The second 
equation, removes the function symbol r when there aren’t any more possible atomic 
reductions with the rules {r*}. 

The atomic relation is defined in the functional module ATOMIC-RELATION by 
instantiating the equational serialization procedure for each one of the twelve groups 
of atomic rules with a different function symbol for each one. 

Finally, the micro relation is defined by the rule micro in the system module 
PLEXIL-RLS, which materializes the rewrite theory TZpxl in Maude: 

mod PLEXIL-RLS is 
pr ATOMIC-RELATION . 
pr SERIALIZATION-INFRASTRUCTURE . 

rl [micro] : Gamma | — Pi => Gamma |- applyUpdates (al ( . . . al2 ( Gamma |— Pi )...)) . 

endm 

where ai,...,ai2 are the function symbols in ATOMIC-RELATION defining the 
serialization procedure for each one of the twelve groups of rules. 

5 Preliminary Results 

We have used TZpxl to validate the semantics of PLEXIL against a wide variety 
of plan examples. We report on the following two issues of the original PLEXIL 
semantics that were discovered with the help of 1Z pxl'- 

1. Non-atomicity of the atomic relation. A prior version of the atomic rules 
r,3 and r 4 for Assignment nodes in state Executing, presented in Figure 3, 
introduced an undesired interleaving semantics for variable assignments, which 
invalidated the synchronous nature of the language. 

2. Spurious non-termination of plans. Due to lack of detail in the original spec- 
ification of some predicates, there were cases in which some transitions for 
List nodes in state IterationEnded would lead to spurious infinite loops. 

Although the formal operational semantics of PLEXIL in [8] has been used to 
prove several properties of PLEXIL, neither one of the issues was previously found. 
As as matter of fact, these issues do not compromise any of the proven proper- 
ties of the language. Solutions to both issues were provided by the authors, and 
have been adopted in the latest version of the formal PLEXIL semantics. We are 
currently using TZpxl as the formal interpreter of PLEXIL ’s Formal Interactive Vi- 
sual Environment [15] (PLEXIL5), a prototype graphical environment that enables 
step-by-step execution of plans for scripted sequence of external events, for further 
validation of the language’s intended semantics. 
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We have also developed a variant of 72 -pxl in which the serialization procedure 
was implemented with rewrite rules, instead of equations, and rewrite strategies. In 
general, 7 ?.pxl outperforms that variant by two orders of magnitude on average, and 
by three orders of magnitude in some extreme cases. 

The rewrite theory 7?pxl has approximately 1000 lines of code, of which 308 lines 
correspond to the module ATOMIC-RELATION. The rest corresponds to the syntax and 
infrastructure specifications. 


6 Related Work and Conclusion 

Rewriting logic has been used previously as a testbed for specifying and animating 
the semantics of synchronous languages. M. AlTurki and J. Meseguer [1] have stud- 
ied the rewriting logic semantics of the language Ore, which includes a synchronous 
reduction relation. T. Serbanuta et.al. [16] define the execution of P-systems with 
structured data with continuations. The focus of the former is to use rewriting logic 
to study the (mainly) non-deterministic behavior of Ore programs, while the focus 
of the latter is to study the relationship between P-systems and the existing con- 
tinuation framework for enriching each with the strong features of the other. Our 
approach is more on exploiting the determinism of a synchronous relation to tackle 
the problem associated with the interleaving semantics of concurrency in rewriting 
logic. Lucanu [10] studies the problem of the interleaving semantics of concurrency 
in rewriting logic for synchronous systems from the perspective of P-systems. The 
determinism property of the synchronous language Esterel [2] was formally proven 
by O. Tardieu in [18]. 

We have presented a rewriting logic semantics of PLEXIL, a synchronous plan 
execution language developed by NASA to support autonomous spacecraft oper- 
ations. The rewriting logic specification relies on the determinism of PLEXIL’s 
atomic relation and a serialization procedure that enables the specification of a 
synchronous relation in an asynchronous computational model. Two issues in the 
original design of PLEXIL were found with the help of the rewriting logic specifi- 
cation of the language: (i) there was an atomic rule with the potential to violate 
the atomicity of the atomic relation, thus voiding the synchronous nature of the 
language, and (ii) a set of rules introducing spurious non-terminating executions of 
plans. We proposed solutions to these issues that were integrated into the current 
semantics of the language. 

Although we have focused on PLEXIL, the formal framework that we have de- 
veloped is presented in a general setting of abstract set relations. In particular, we 
think that this framework can be applied to other deterministic synchronous lan- 
guages. To the best of our knowledge there was no mechanized library of abstract 
set relations suitable for the definition and verification of synchronous relations; nei- 
ther are there a soundness and completeness proof of a serialization procedure for 
the simulation of synchronous relations by rewrite systems. 

To summarize, we view this work as (i) a step forward in bringing the use of 
formal methods closer to practice, (ii) a contribution to the modular and mechanized 
study of semantic relations, and (iii) yet another, but interesting contribution to the 
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rewriting logic semantics project. 

We intend to continue this work with the goal of arriving at a formal envi- 
ronment for the validation of PLEXIL. Such an environment would provide a rich 
formal tool to PLEXIL enthusiasts for the experimentation, analysis and verifica- 
tion of PLEXIL programs, which could then be extended towards a rewriting-based 
PLEXIL implementation with associated analysis tools. Part of our future work 
is also to investigate the modularity of the equational serialization procedure with 
prioritized rules. 
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